Password Attacks

Password attacks occur when an account's credentials are attacked repeatedly. This is accomplished with applications known as password crackers, which submit candidate passwords to the account in a systematic manner.

These attacks are typically carried out to obtain passwords that are then used in an access or modification attack. There are several types of password attacks:

Brute-Force Attack: A brute-force attack is an attempt to guess passwords until a successful guess occurs.

As an example of this type of attack, imagine starting to guess with “A” and working through to “z”; when no match is found, the next series of guesses runs from “AA” to “zz”, and then a third character is added (“AAA” to “zzz”).

Because of the exhaustive nature of this routine, this type of attack usually takes a long time. To make passwords harder to guess, they should be much longer than two or three characters (six should be the bare minimum) and complex, and account lockout policies should be in place.

Dictionary Attack: A dictionary attack uses a dictionary of common words to attempt to find the user’s password.

Dictionary attacks can be automated, and several publicly available tools exist to execute them.

As an example of this type of attack, imagine guessing the words and word combinations found in a standard English-language dictionary.

For example, if there is a good likelihood that the employees of a particular company use derivatives of the company name in their passwords, those values can be seeded into the list of values attempted.

Birthday Attack: A birthday attack is built on a simple premise. If 25 people are in a room, there is some probability that two of those people will have the same birthday.

The probability increases as additional people enter the room. It’s important to remember that probability doesn’t mean that something will occur, only that it’s more likely to occur.

To put it another way, if you ask whether anyone has a birthday of March 9th, the odds are 1 in 365 (or 25/365 given the number of people in the room), but if you ask whether anyone has the same birthday as any other individual, the odds of there being a match increase significantly.

Although two people may not share a birthday in every gathering, the likelihood is fairly high, and as the number of people increases, so too do the odds that there will be a match.

A birthday attack works on the same premise: if your key is hashed, the possibility is that, given enough time, another value can be created that produces the same hash value.

Even hashing with MD5 has been shown to be vulnerable to a birthday attack.

NOTE: An easy way to think of a birthday attack is to think about how the hashing process works. It is possible for two different inputs to hash to the same result, even though one of them differs from the value originally used.
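The birthday arithmetic above, carried through as an added example (this code is not from the original text): it computes the probability that two of n people share a birthday, contrasts it with the "does anyone have this specific date" question, and then applies the same bound to a deliberately truncated SHA-256 so that a collision appears after roughly sqrt(pi/2 * 2^bits) tries. The 16-bit truncation and the input strings are constructed for the demonstration; they say nothing about SHA-256 itself.

```python
import hashlib
import math
from itertools import count

DAYS = 365  # leap years ignored, as in the text


def shared_birthday_probability(people: int, days: int = DAYS) -> float:
    """P(at least two of `people` share a birthday) = 1 - P(all distinct).

    P(all distinct) = prod_{i=0}^{people-1} (days - i) / days
    """
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def specific_date_probability(people: int, days: int = DAYS) -> float:
    """P(at least one of `people` was born on one fixed date, e.g. March 9th).

    This is the "does anyone have *this* birthday" question from the text;
    it grows only slowly with group size, unlike the shared-birthday case.
    """
    return 1.0 - (1.0 - 1.0 / days) ** people


def expected_tries_for_collision(output_bits: int) -> float:
    """Birthday bound: expected number of random draws from a space of
    2**output_bits values before two of them coincide, about sqrt(pi/2 * 2**bits).
    """
    return math.sqrt(math.pi / 2.0 * 2.0 ** output_bits)


def find_truncated_collision(output_bits: int = 16):
    """Find two distinct inputs whose SHA-256 digests agree on the first
    `output_bits` bits (constructed demo of the bound, not a SHA-256 weakness).
    Returns (input_a, input_b, tries).
    """
    nbytes = output_bits // 8
    seen = {}
    for i in count():
        msg = f"constructed-input-{i}".encode()  # constructed inputs
        tag = hashlib.sha256(msg).digest()[:nbytes]
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    print(f"25 people, shared birthday:  {shared_birthday_probability(25):.4f}")
    print(f"25 people, specific date:    {specific_date_probability(25):.4f}")
    print(f"16-bit hash, expected tries: {expected_tries_for_collision(16):.0f}")
    a, b, tries = find_truncated_collision(16)
    print(f"collision after {tries} tries: {a!r} and {b!r}")
```

The point the numbers make: with 25 people the shared-birthday probability is already above one half, while the specific-date probability is still well under one tenth. The same gap is why a collision on an n-bit hash costs about 2^(n/2) work, not 2^n.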

Rainbow Table: A rainbow table attack focuses on recovering a stored value. By using an existing table of hashed phrases or words (think of taking a word and hashing it every way you can imagine) and comparing those entries to the hashes found, a rainbow table attack can significantly reduce the time needed to crack a password.

Salt (random bits added to the password before it is hashed) greatly reduces the usefulness of rainbow tables, because every distinct salt value would need its own precomputed table.
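The table-versus-salt contrast from the two paragraphs above, as an added example that is not part of the original text. A plain hash-to-plaintext dictionary stands in for a rainbow table (a rainbow table is a space-optimised form of the same precomputation); unsalted SHA-256 entries from a constructed "leaked" database are matched against it without any hashing at lookup time, while per-user salted PBKDF2-HMAC-SHA256 digests of the very same password come out different and match nothing. The wordlist, the leaked entries and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the word/phrase list behind a precomputed table.
WORDLIST = ["password", "letmein", "acmecorp2024", "welcome1", "sunshine"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; reusable against any unsalted database."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(table: dict, stored_hashes) -> dict:
    """Match stored hashes against the table; no hashing happens at lookup time."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str):
    """Generate a fresh 16-byte salt and return (salt, digest) for storage."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leaked" unsalted database: two of three entries are in the table.
    leaked = [unsalted_hash("letmein"),
              unsalted_hash("acmecorp2024"),
              unsalted_hash("correct horse battery")]
    print("unsalted entries recovered:", recover_unsalted(table, leaked))

    salt_a, digest_a = store_salted("password")
    salt_b, digest_b = store_salted("password")
    print("same password, different stored values:", digest_a != digest_b)
    print("salted entries found in table:",
          recover_unsalted(table, [digest_a.hex(), digest_b.hex()]))
    print("verify with correct password:", verify_salted("password", salt_a, digest_a))
```

Two things to notice when running it: the two salted digests of "password" differ, so an attacker cannot even tell that two users share a password, and the slow KDF means that rebuilding a table per salt costs the full iteration count for every candidate word.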

Some systems will reveal whether an account ID is valid separately from whether the password is wrong. Giving the attacker a clue as to a valid account name isn't a good practice.

If you can configure your authentication to treat the ID and password as a single unit, accepting only a valid pair and otherwise requiring the entire logon process again, you should.
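The last two paragraphs, as an added example that is not from the original text: a deliberately leaky login that reports "unknown user" and "wrong password" separately, beside a hardened version that judges the ID/password pair as a unit, returns one generic failure for either case, does the same password-derivation work whether or not the account exists (so response time does not reveal valid names either), and applies the lockout policy recommended under Brute-Force Attack above. The UserStore class, the thresholds and the dummy credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # constructed demo parameter
MAX_FAILURES = 5       # constructed lockout threshold
LOCKOUT_SECONDS = 900  # constructed lockout duration


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Dummy credentials so that unknown account names cost the same work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("constructed-dummy-password", _DUMMY_SALT)


class UserStore:
    """Constructed in-memory account table."""

    def __init__(self):
        self.users = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": derive(password, salt),
                            "failures": 0, "locked_until": 0.0}


def login_leaky(store: UserStore, name: str, password: str) -> str:
    """Before: the response tells the caller which half of the pair was wrong."""
    user = store.users.get(name)
    if user is None:
        return "unknown user"
    if derive(password, user["salt"]) != user["hash"]:
        return "wrong password"
    return "ok"


def login_hardened(store: UserStore, name: str, password: str, now=None) -> str:
    """After: one generic answer for every failure, equal work for unknown and
    known names, and a lockout after MAX_FAILURES consecutive bad attempts."""
    now = time.time() if now is None else now
    user = store.users.get(name)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    matches = hmac.compare_digest(derive(password, salt), expected)  # always computed
    if user is None or user["locked_until"] > now:
        return "invalid credentials"
    if not matches:
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["failures"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
        return "invalid credentials"
    user["failures"] = 0
    return "ok"


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "correct horse battery staple")
    print("leaky, unknown user:   ", login_leaky(store, "bob", "x"))
    print("leaky, wrong password: ", login_leaky(store, "alice", "x"))
    print("hardened, unknown user:", login_hardened(store, "bob", "x"))
    print("hardened, wrong pass:  ", login_hardened(store, "alice", "x"))
    print("hardened, correct:     ", login_hardened(store, "alice", "correct horse battery staple"))
```

The `now` parameter exists only so the lockout window can be exercised deterministically; in a real service the clock comes from `time.time()`. Note that a locked account rejects even the correct password until the window expires, which is exactly the "require the entire logon process again" behaviour the text recommends.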